Vito Genovese
DEF CON 2018
Capture the Flag


2000
2002-2004: GhettoHacker
2005-2008: Kenshoto
2009-2012: ddtek
2013-2017: Legitimate Business Syndicate
Order of


6/16/2013 5:54:05 PM «global» PPP solved everything with two hours to spare! Call Heinz 'cause y'all need to
6/16/2013 5:51:03 PM «private» Your teammate PPP solved bob [OMGACM] for 4 points. 1:49:00 left
6/16/2013 5:50:58 PM «private» Your teammate PPP solved bob [OMGACM] for 4 points.
6/16/2013 2:11:12 PM «global» You should totally check out OMGACMS.
6/16/2013 3:28:18 PM «private»


European NOPSled Team
More Smoked Leet Chicken
blue-lotus
Shellphish
WHAT_Mafia
Men in Black Hats
clgt
9447
Routards
WOWHACKER-BIOS
Shell Corp
Samurai
sutegoma2
APT8
Alternatives
pwningyeti
TechnoPandas
RDot.Org
United States of Russia
Marauders
CodeRed
KAIST GoN
int3pids
Robot Mafia




0xC6C is a long subroutine, with many calls to other subroutines; a closer look reveals
that each of them gets as input a character of s, in order, and checks that it is the
"correct" one.


Something helps even more: the exit code when no input byte is correct is 1, when the 
first one is correct is 2, and so on: 


0x93B:
sub_93B proc near
    rdi,
    short loc_94F
sub_93B endp
0x955:


I did not investigate this any further, and wrote a python script to bruteforce the 
solution byte by byte. 


import string
import subprocess




Potent Pwnables
 70  Leo es Pequeno
 94  badint
 69  peROPdo
 62  mute
142  insanity
234  reeses revenge
436  Hot stuff! Solve this for scoreboard control.




asby (100) - 331 solves 


Eindbazen team member asby has by far been putting the most energy and time in 
creating the SHA2017 CTF. To honor his dedication and all his effort we created this 
challenge as an ode to him. 


You can choose to reverse engineer this challenge or you can "asby" it. Good luck
with the option you choose.


asby.tgz 742294834834252d45cee82753b3d13b




xclient@5196d80f9b61: /asby (docker)


xclient@5196d80f9b61:/asby$ wine asby.exe
What is the flag? hack the planet
Checking char 1:WRONG!
What is the flag? Checking char 1:WRONG!
What is the flag? Checking char 1:WRONG!
What is the flag? ctf{
Checking char 1:WRONG!
What is the flag? flag{
Checking char 1:CORRECT!
Checking char 2:CORRECT!
Checking char 3:CORRECT!
Checking char 4:CORRECT!
Checking char 5:CORRECT!
What is the flag? flag{x
Checking char 1:CORRECT!
Checking char 2:CORRECT!
Checking char 3:CORRECT!
Checking char 4:CORRECT!
Checking char 5:CORRECT!
Checking char 6:WRONG!
What is the flag?




asby.rb


require 'expect'

# Drive the checker under wine and brute-force the flag one character at a
# time, using the per-character "Checking char N:CORRECT!" lines as an oracle.
IO.popen("wine asby.exe", "r+") do |asby|
  start = "flag{024baa8ac03ef"   # prefix already recovered on earlier runs

  # Sanity check: the known prefix must be accepted character by character.
  asby.expect "What is the flag? "
  asby.puts start + "\r"
  start.length.times do |n|
    got = asby.expect(/Checking char \d+:CORRECT!\r\n/, 1)
    p got
  end

  actual_flag = ''
  flag_chars = %w{0 1 2 3 4 5 6 7 8 9 a b c d e f \} }

  loop do
    asby.flush
    flag_chars.each do |candidate|
      print "\r#{candidate}"
      asby.expect "What is the flag? "
      asby.puts(start + actual_flag + candidate + "\r")
      print "."
      # Consume the CORRECT! lines for every character already known.
      (start.length + actual_flag.length).times do |n|
        asby.expect "Checking char #{n+1}:CORRECT!\r\n"
      end

      # The next line says whether the candidate is right. expect returns nil
      # on timeout, so wrap it in Array() before joining.
      if Array(asby.expect(/Checking char \d+:\w+\!\r\n/, 1)).join =~ /CORRECT/
        puts "\r"
        actual_flag += candidate
        puts start + actual_flag
        if '}' == candidate
          puts start + actual_flag
          exit
        end
        break # out of the candidate loop
      end
    end
  end
end





xclient@a84249bfa09c: /asby (docker)


flag{024baa8ac03ef22fdde61c0f1106
flag{024baa8ac03ef22fdde61c0f11069
flag{024baa8ac03ef22fdde61c0f11069f
flag{024baa8ac03ef22fdde61c0f11069f2
flag{024baa8ac03ef22fdde61c0f11069f2f
flag{024baa8ac03ef22fdde61c0f11069f2f}
asby.rb:24:in `write': Broken pipe (Errno::EPIPE)
    from asby.rb:24:in `puts'
    from asby.rb:24:in `block (3 levels) in <main>'
    from asby.rb:21:in `each'
    from asby.rb:21:in `block (2 levels) in <main>'
    from asby.rb:19:in `loop'
    from asby.rb:19:in `block in <main>'
    from asby.rb:3:in `popen'
    from asby.rb:3:in `<main>'
xclient@a84249bfa09c:/asby$
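Added example (not from the slides and not part of asby.rb): the same byte-at-a-time recovery run against a simulated checker, next to a checker that compares every byte and reports only a single pass/fail, which the recovery loop cannot extend. SECRET is a constructed sample flag, and leaky_check, strict_check and recover are names chosen here.

```ruby
SECRET = "flag{0a1b}"   # constructed sample flag, not the challenge's real one

# Leaky checker in the style of asby.exe: it stops at the first mismatch, so
# the result reveals how many leading characters were right (asby prints one
# "Checking char N:CORRECT!" line per matching prefix byte).
def leaky_check(guess)
  guess.each_char.with_index do |c, i|
    return i unless SECRET[i] == c
  end
  guess.length
end

# Non-leaky checker: compares every byte (no early exit) and answers only
# yes/no, so a partial guess learns nothing about individual positions.
def strict_check(guess)
  return false unless guess.bytesize == SECRET.bytesize
  diff = 0
  guess.bytes.zip(SECRET.bytes) { |a, b| diff |= a ^ b }
  diff.zero?
end

ALPHABET = %w{0 1 2 3 4 5 6 7 8 9 a b c d e f \} }

# Extend a known prefix one character at a time, keeping a candidate only when
# the oracle reports more correct leading characters than we already had.
# This is the loop asby.rb runs against the real binary. Returns nil when no
# candidate extends the prefix, i.e. when the oracle does not leak.
def recover(prefix, oracle, max_len: 64)
  flag = prefix.dup
  while flag.length < max_len
    found = ALPHABET.find { |c| oracle.call(flag + c) > flag.length }
    return nil unless found
    flag << found
    return flag if found == "}"
  end
  nil
end

queries = 0
counting = ->(g) { queries += 1; leaky_check(g) }
puts recover("flag{", counting)          # flag{0a1b}
puts "queries against leaky checker: #{queries}"   # linear in flag length

strict_oracle = ->(g) { strict_check(g) ? g.length : 0 }
p recover("flag{", strict_oracle)        # nil: nothing to extend from
```

The query count grows with the length of the flag times the alphabet size, which is why a checker that stops at the first wrong character turns a search over the whole key space into a few hundred guesses.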




xclient@a84249bfa09c: /asby (zsh)


This service implements a rubix cube. Solve the cube and win.

Give me 54 Bytes(ie: 53,12,5,etc): <input 54 comma-delimited chars>

Left
L8 L7 L0
T5 L4 B1
B8 B3 F8

Top
R6 R7 B0
L1 T4 R5
A0 B7 R2

Front
T0 A7 F0
F7 F4 A1
A6 R3 L2

Bottom
A2 F5 F6
B5 B4 A3
T8 A5 F2

Right
R8 F3 L6
T1 R4 T7
T2 L3 B2

Back
B6 T3 T6
F1 A4 R1
R0 L5 A8

Action(U,U',D,D',L,L',R,R',F,F',B,B'):


Shellcode

Lab RATS on Rubix
https://blog.rpis.ec/2017/08/defcon-finals-2017-introduction-rubix.html




Legitimate Business Syndicate
2012.08: ddtek
2012.12: Gyno
2014: badger
2017: CLEMENCY




xinetd and runc
seccomp


CGC
DARPA, 2014
CBs
32-bit i386
CGCEF
IDA Pro
MSP-430
CDMA
crackme20
Rubix shellcode